Project

General

Profile

Actions

Security #2736

closed

DNS Golden Transaction ID - detection bypass

Added by Alexey Vishnyakov over 5 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
Affected Versions:
Label:
Git IDs:

8357ef3f8ffc7d99ef6571350724160de356158b

Severity:
Disclosure Date:

Description

Hello, team!

I've found an interesting problem in DNS protocol related to Transaction ID header field

I made a signature:

alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, DDNS"; \
content:"|04|ddns|03|net|00|"; \
classtype:trojan-activity; \
sid:1; rev:1;)

Please, find a pcap dump in attached archive: 23_6594.pcap
It contains only one packet extracted from a public sandbox.
A signature doesn't match!

I investigated this case a bit and found that for a specific range of Transaction ID values (0x6000, 0x6001, ..., 0x6010, ... 0x6594, 0x6595 and maybe more) detection still absent.
But if we choose something like 0x5FFF as example - detection will be.

I tried some another domain (as example, which is longer on 1 symbol) - and for previous Transaction ID values detection appears.
So, seems that some kind of Transaction ID influence happened.
I made a following game:

  • I've generated 65536 different pcaps for a domain in 23_6594.pcap with all possible Transaction ID values
  • I've scanned them all... and found one more magic Transaction ID value: 0x0400. More than that:
    - pcap with Transaction ID = 0x03FF - detected (23_03FF.pcap)
    - pcap with Transaction ID = 0x0400 - not detected (23_0400.pcap)
    - pcap with Transaction ID = 0x0401 - detected (23_0401.pcap)
  • Then I've reduced an original domain length, generated 65535 pcaps, scanned them... and found the same magic ID: 0x0400. And:
    - pcap with Transaction ID = 0x03FF - detected (22_03FF.pcap)
    - pcap with Transaction ID = 0x0400 - not detected (22_0400.pcap)
    - pcap with Transaction ID = 0x0401 - detected (22_0401.pcap)
  • Then I've increased an original domain length, again generated 65535 pcaps, again scanned them... and again :) found the same magic ID: 0x0400. And:
    - pcap with Transaction ID = 0x03FF - detected (24_03FF.pcap)
    - pcap with Transaction ID = 0x0400 - not detected (24_0400.pcap)
    - pcap with Transaction ID = 0x0401 - detected (24_0401.pcap)

Finally I just made the nslookup of "suricata-ids.org" domain (suricata.original.pcap). Fortunately, the Transaction ID was small and I reproduced a detection with following rule:

alert dns any any -> any 53 ( \
msg:"DNS - Transaction ID problem, suricata"; \
content:"suricata"; \
classtype:trojan-activity; \
sid:2; rev:1;)

Than I changed the Transaction ID to 0x4000 - no detection (suricata.0400.pcap)
I changed it to 0x4001 - detection appears again (suricata.0401.pcap)

I've tested the 0x4000 magic Transaction ID with different domains (DGA - situation is the same)
Seems that we have a reliable approach to perform an information transport via the DNS tunneling without detection in DNS protocol

Could you confirm that?

Thank you
Sincerely yours, Alexey Vishnyakov


Files

dns.zip (3.36 KB) dns.zip Alexey Vishnyakov, 12/11/2018 03:29 PM

Related issues 1 (0 open1 closed)

Copied to Suricata - Bug #2827: DNS Golden Transaction ID - detection bypass (4.0.x)ClosedVictor JulienActions
Actions #1

Updated by Alexey Vishnyakov over 5 years ago

Actions #2

Updated by Victor Julien over 5 years ago

  • Assignee set to Victor Julien

Both are known weaknesses in protocol detection. The magic 0x4000 triggers the dcerpc protocol detection, so Suricata then considers it dcerpc. This really requires a rewrite/upgrade of the protocol detection engine. This is something we hope to do for 5.0. I'll see if I can create some hack to fix this specific issue.

The 6594 pcap triggers the teredo detection. We've had issues with this before. I'm trying to see if I can make the teredo probing stricter.

Actions #3

Updated by Victor Julien over 5 years ago

  • Status changed from New to Assigned
  • Target version set to 4.1.2
Actions #4

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
Actions #5

Updated by Victor Julien about 5 years ago

  • Copied to Bug #2827: DNS Golden Transaction ID - detection bypass (4.0.x) added
Actions #6

Updated by Victor Julien over 3 years ago

  • Tracker changed from Bug to Security
  • CVE set to 2019-1010251
  • Git IDs updated (diff)
Actions

Also available in: Atom PDF